mrdob

Post by mrdob

    New malware

    After visiting a less-than-savory website, my WinXP Pro SP3 system began encountering (not surprisingly) some spontaneous IE sessions and pop-up windows, with sound--despite the fact that iexplore.exe wasn't even ACTIVE. Unfortunately, neither the current versions of Ad Aware, AVG Anti-Spyware, Trend Micro online scan, nor SUPERAntispyware were able to identify or eliminate the problem.

    When this particular malware instantiates itself, an entry would appear on my Windows task list: 5i3524v1.exe. Although I would end the process tree, it would invariably respawn itself. Oddly, a Google search on this file yielded NO results. I searched my C: drive and found this file and an apparent mate, 5i3524v1.exe.a_a, in my \system32 folder, and performed a hard delete of them. And yet still, some time later, both these files AND the spawned task would manifest themselves again.

    I searched again and used the Detail view in Explorer to sort the files by creation date. Three other files had the same date/time stamp as the offending ones: RC3B1t8.exe, R4C3B1t8.exe.a_a, and yIqmpbVo.dll. I appended all five files with a ! character to keep them from launching. (Yep, nothing on Google for these, either!)

    Next, I searched the registry and found this REG_SZ entry under Software|Microsoft|Windows|ShellNoRoam|MUICache: C:\WINDOWS\system32\R4C3B1t8.exe with a value of R4C3B1t8. Renaming/deleting the files and the corresponding registry entry seemed to do the trick. I saved the renamed files in a ZIP archive for analysis if anyone's interested.
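As an added example, written for this page and not part of mrdob's post, the PowerShell script below automates the two triage checks the post describes by hand: listing every file in the suspect file's folder whose creation time matches it (the Explorer sort-by-creation-date step), and listing MUICache entries that point into that folder (the registry step). It assumes PowerShell is installed (it is not present by default on Windows XP), that MUICache is stored under HKCU at the ShellNoRoam path on XP and under Software\Classes\Local Settings on later Windows versions, and that the default $Suspect path, taken from the post, is replaced with the file actually under investigation. The script only reports; it renames and deletes nothing.

```powershell
# Added triage example, not code from the original post.
# Assumptions: PowerShell 2.0 or later is available; the MUICache key lives under HKCU
# at one of the two paths listed below; $Suspect is the file already identified as
# malicious (the default is the name given in the post and is only a placeholder).
param(
    [string]$Suspect = 'C:\WINDOWS\system32\5i3524v1.exe',  # replace with the real suspect
    [int]$ToleranceSeconds = 5                               # creation-time match window
)

$target = Get-Item -LiteralPath $Suspect -ErrorAction Stop
$dir    = $target.DirectoryName
$t0     = $target.CreationTime

# Step 1: files dropped in the same folder at (nearly) the same moment.
# A dropper that writes several components in one go leaves them with matching
# creation timestamps, which is what the post's Explorer sort exposed.
Write-Host "Files in $dir created within $ToleranceSeconds s of $($target.Name):"
Get-ChildItem -LiteralPath $dir -Force |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { [math]::Abs(($_.CreationTime - $t0).TotalSeconds) -le $ToleranceSeconds } |
    Select-Object FullName, CreationTime, Length |
    Format-Table -AutoSize

# Step 2: MUICache entries pointing into that folder.
# Explorer records a display name for executables it has launched, so an entry
# here shows the binary ran even if the file has since been removed.
$muiPaths = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',                          # Windows XP
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'  # Vista and later
)
Write-Host "MUICache entries referring to $dir:"
foreach ($p in $muiPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $key = Get-Item -LiteralPath $p
    foreach ($name in $key.GetValueNames()) {
        # Value names in MUICache are full paths; match on the suspect's directory.
        if ($name -like "$dir\*") {
            New-Object PSObject -Property @{
                Key   = $p
                Path  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}
```

Run it from an elevated PowerShell prompt as the user whose profile showed the pop-ups, since MUICache is per-user under HKCU. The creation-time window is deliberately a few seconds wide rather than an exact match, because a dropper writing several files in sequence can straddle a second boundary; widen it if the folder is quiet and narrow it if the listing fills with unrelated files.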